Category: FILE
Started On: 2016-11-06 21:46:55.282397
Completed On: 2016-11-06 21:52:47.747142
Duration: 352 seconds
Cuckoo Version: 2.0-dev

Machine: windowsxp1
Label: windowsxp1
Manager: VirtualBox
Started On: 2016-11-06 21:49:54
Shutdown On: 2016-11-06 21:52:47

File Details

File name invoice_J-19161427.doc
File size 43008 bytes
File type Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Administrator, Template: Normal.dot, Last Saved By: User, Revision Number: 8, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Tue Feb 16 11:50:00 2016, Last Saved Time/Date: Tue Feb 16 11:52:00 2016, Number of Pages: 1, Number of Words: 87, Number of Characters: 499, Security: 0
CRC32 42245577
MD5 d2e4984e6ee44a756abfa59f775cc12a
SHA1 674d9b8dc93e0e75ac4561df6ee388c65e2c56e7
SHA256 5ad06eda999a9f2f28c2057ba40bd2f7b6a7cb2e1915104b2724753649e97de5
SHA512 f8755cc94edba4f280e57e2cfdad41baaaa0831e20828afb153e7829d1667e420f2f2588584a302309d18139d4d2093233d16bbf1e7bb858d3ebf8adad461279
Ssdeep 384:nFZQZtDGGkLmTUrioRPATRn633Dmej0SnJzbmiVywP0jKk:nSoqwT2J633DVgiVy25
PEiD None matched
Yara None matched
VirusTotal Scan Date: 2016-11-04 14:52:10
VirusTotal Detection Rate: 44/55

Signatures

No signatures matched

Dropped Files

4826c0d860af884d_~wrs{fa63aed5-59f6-4892-86ed-1cb056a2f756}.tmp

b27b98df298e685e_~$normal.dotm

Network Analysis

Nothing to display.

Behavior Summary

File-Written
  • \\?\PIPE\lsarpc
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
  • C:\Documents and Settings\Administrator\Local Settings\Temp\~$voice_J-19161427.doc
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{FA63AED5-59F6-4892-86ED-1CB056A2F756}.tmp
  • \\?\PIPE\ROUTER
File-Opened
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • C:\WINDOWS\system32\wshom.ocx
  • C:\WINDOWS\system32\netmsg.dll
  • C:\
  • C:\Program Files\Microsoft Office\Office12\MSWORD.OLB
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\
  • C:\WINDOWS\system32\msscript.ocx
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
  • c:\AUTOEXEC.BAT
  • C:\Program Files\Microsoft Office\Office12\ID_00030.DPC
  • C:\Documents and Settings\Administrator\Cookies\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\
  • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\OPA12.BAK
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
  • C:\WINDOWS\system32\ras\
  • C:\WINDOWS\system32\MSCTFIME.IME
  • C:\WINDOWS\system32\shell32.dll
  • C:\WINDOWS\system32\credssp.dll
  • C:\Documents and Settings\Administrator\Local Settings\Temp\
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
  • \\?\PIPE\lsarpc
  • C:\WINDOWS\system32\tapi32.dll
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
  • C:\Documents and Settings\All Users\Documents\desktop.ini
  • C:\Program Files\Microsoft Office\Office12\
  • C:\Program Files\Microsoft Office\Office12\STARTUP\
  • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat
  • C:\Documents and Settings\Administrator\
  • C:\WINDOWS\system32\stdole2.tlb
  • C:\WINDOWS\system32\imm32.dll
  • C:\Documents and Settings\Administrator\Local Settings\Temp\invoice_J-19161427.doc
  • C:\WINDOWS\system32\MSIMTF.dll
  • C:\Documents and Settings\
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\
  • C:\Documents and Settings\Administrator\Application Data\desktop.ini
  • C:\WINDOWS\system32\rsaenh.dll
  • C:\Program Files\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
  • C:\Documents and Settings\All Users\
  • C:\Documents and Settings\Administrator\Application Data\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\
  • C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL
  • C:\WINDOWS\
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
  • C:\Documents and Settings\Administrator\My Documents\desktop.ini
  • C:\Documents and Settings\Administrator\Local Settings\History
  • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Office\
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\STARTUP\
  • C:\WINDOWS\system32\msxml3.dll
  • \\?\PIPE\ROUTER
  • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\
  • C:\Documents and Settings\Administrator\Cookies\index.dat

Processes

lsass.exe PID: 644, Parent PID: 588

WINWORD.EXE PID: 812, Parent PID: 1532

Volatility

Nothing to display.